It may have been a latecomer to the practice of offering cash rewards for reporting code flaws, but Microsoft is making up for lost time with an expansion of its security bug bounty program.
The Windows 8 giant started paying for vulnerability reports in June having ring-fenced a $100,000 prize pot just for security researchers …

Define Bug..

Re: Define Bug..

Do you think that if the NSA key was anything to do with the NSA that MS may have possibly called it something other than "NSA"? Contrary to popular belief, Microsoft does employ some really rather smart people, smart enough not to put an advert into their OS saying "Look here conspiracy theorists, here's something that you can use to say we're p0wned by The Man."

Of course all conspiracy theories like this run along the lines of "The Man is really smart, but I'm smarter than all of them, because they're secretly really idiots."

By the way, tell me about how SELinux is not written by the NSA and is totally reliable and in no way suspicious in any way. Personally I don't think it is, but if you think that MS' NSA key is suspicious, then SELinux must be a giant flashing red light, or are you smart enough to understand the code, exactly in every way?

So tired of all these fake "security professionals"

"While some in the infosec community may be less than happy about allowing others to participate in the bug bounty program"

... oh, come on, please define this "infosec community". The ratio of script executors vs. actual people who understand a vulnerability is very, very close to zero.

There are very, very few people in the world that are good at finding vulnerabilities. And on top of that, they have a very lucrative black market on which to sell their work, so it is only natural that MS sets such a high price in order to compete. Microsoft is trying to attract the people who really understand and practice security from the army of "security consultants" that merely have a copy of BackTrack/Kali installed on a laptop and run across businesses scaring owners with mile-long lists of "vulnerabilities" that they have found and calling themselves "security consultants". They can't even explain what they found, or how it is relevant to the context, but hey, they are there.

(I suspect these "professionals" are in part the same ones that were calling themselves "web developers" a few years ago and were churning ColdFusion or Flash contortions as fast as they were paid for doing it by the same clueless businesses that now are paying these "security consultants")

Now, seriously, could The Reg do a piece about how one of these "security consultants" can actually do more harm than good if let loose on a business or corporation? I'm sure we can have lots of war histories about "security professionals" actually creating a less secure environment by their clueless scanning and remediation.